In a Nutshell | 7/7/26
AI Tools as a Threat to Trade Secrets: What Do Companies Need to Consider?
Companies now routinely use AI tools such as ChatGPT, Claude, Gemini, or DeepL – for text generation, translation, or data analysis. What is often overlooked: with every prompt containing confidential information, a trade secret may potentially leave the company’s sphere.
Companies must take precautions against the associated legal risks. While AI tools are now firmly integrated into daily workflows, awareness of the corresponding confidentiality risks often lags behind.
Key Takeaways:
- Anyone who enters confidential company information into external AI applications risks losing trade secret protection under the German Trade Secrets Act (Geschäftsgeheimnisgesetz – GeschGehG) – with civil law and employment law consequences.
- Companies that fail to establish clear AI usage guidelines jeopardize the protectability of their trade secrets as a whole.
- Conversely, liability risks arise when third-party trade secrets – such as those of customers or cooperation partners – are processed through the use of AI. Compliance frameworks must therefore address both perspectives.
How Trade Secrets Can Be Compromised Through AI Usage
The risk became evident through an incident at technology company Samsung in May 2023: Engineers had entered confidential source code and internal meeting notes on product strategies into ChatGPT. Since OpenAI, the operator of ChatGPT, had reserved the right in its terms of use to utilize user inputs for AI training, this information subsequently resided with OpenAI and could be used for training purposes. Samsung responded with a company-wide ban on the use of AI tools.
Similar risks exist with AI-powered translation services such as DeepL or Google Translate: Here too, entered texts are transmitted to external servers and may be used for training purposes.
Trade Secret Law Assessment: Is Protection Maintained?
Under the GeschGehG, information is protected as a trade secret if it is not generally known – i.e., secret –, derives economic value from this secrecy, and the trade secret holder has taken reasonable confidentiality measures. Once any of these requirements ceases to apply, protection is lost.
Whether the protection of a trade secret expires through transmission to an AI tool depends first on whether the information thereby becomes generally known or readily accessible. This is generally not the case when entering an AI training database: A targeted reconstruction of the input by other users is hardly foreseeable given the functioning of modern AI systems and is therefore unlikely.
More delicate is the subsequent question of whether the holder can continue to ensure sufficient trade secret protection through reasonable confidentiality measures in such cases. An overall assessment of all protective measures taken and omitted is decisive. A systematic lack of interest has devastating effects: Anyone who knowingly permits their employees’ AI usage without any instruction, fails to establish guidelines, and tolerates known violations risks losing statutory protection. Conversely, a company may be exonerated if an employee only acts contrary to instructions in an isolated case or even circumvents technical safeguards to do so.
Potential infringers are primarily the employees themselves who disclose secrets without authorization – regardless of whether they are aware that the information constitutes a trade secret. In addition to trade secret law claims, employment law consequences up to and including termination without notice may apply.
The AI provider itself is generally not liable. There is no direct act of access, as the information is not obtained by the provider itself but through the intermediary AI user, which is insufficient for liability. The provider has no material influence over what content users enter and whether this is done lawfully.
Converse Risk: Infringement of Third-Party Trade Secrets Through AI Use
Conversely, companies themselves may become infringers when they or their employees process third-party secrets through the use of AI tools – such as information from customers or cooperation partners. Where contractual confidentiality obligations exist, transmitting such information to external AI systems is generally prohibited.
If a third party’s trade secret unlawfully enters an AI’s training database, it cannot be ruled out that it may resurface as output in response to an appropriate prompt from another user. Liability for the company is particularly threatened when the relevant information was transmitted within a contractual relationship and contractual confidentiality obligations prohibit disclosure to third parties, including AI tools. Against this background, companies should always exercise the same care with third-party secrets as they do in protecting their own confidential information.
Conclusions and Recommendations for Practice
Companies should systematically address AI-related risks to their trade secrets. An effective protection framework should include in particular:
- Clear internal guidelines on the use of AI tools, including prohibitions or restrictions for applications where particular risks exist
- Regular training and documented risk advisories for employees
- Technical measures, such as data-protective settings (e.g., ensuring that entered data is not used for AI training) or the acquisition of enterprise licenses with stricter confidentiality provisions than the free versions
- Where possible, contractual provisions to maintain confidentiality vis-à-vis AI providers, suppliers, and new employees
- A compliance framework that also covers the handling of third-party trade secrets
This article provides a non-binding overview of the subject matter and does not constitute legal advice. For further information or personal consultation, please contact:
Professionals
FAQ
- Does a company lose its trade secret protection if an employee transmits a trade secret to an AI application?
- How can companies use AI to optimize their processes without jeopardizing their trade secrets?
- What is meant by “data-protective settings”?
- Who is liable if an employee accidentally enters secrets into an AI tool?
- Is the AI provider (e.g. OpenAI) liable for the use of entered secrets?